Category Archives: News

Facebook Messenger may ban mass-forwarding of messages

Facebook Messenger may ban mass-forwarding of messages in an effort to lasso the runaway forwarding of COVID-19 fake news and rumors, it confirmed on Sunday.

Facebook has done this before when its other messaging services have gone berserk with forwarding hysterical misinformation – misinformation that led to people getting lynched in the fake-news crisis that seized India, Myanmar and Sri Lanka in 2018.

India was torn apart as rumors spread virally on social media sparked dozens of mob lynchings. Over the period of 18 months, 33 people were killed and at least 99 injured in 69 reported lynchings. At least 18 of those incidents were specifically linked to WhatsApp.

In July 2018, Facebook-owned WhatsApp said that it would limit forwarding for everyone using the app, with the limit being most restrictive in India, where people forward more messages, photos and videos than in any other country in the world. In India, WhatsApp tested a lower limit of 5 chats at once and removed the quick-forward button next to media messages. Globally, WhatsApp imposed a looser limit of 20 chats.

In January 2019, WhatsApp applied the lower limit of five forwarded chats on a global scale.

On Saturday, Jane Manchun Wong, a hacker who reverse-engineers apps, spotted Facebook’s test of a new feature in Messenger: a 5-chat forwarding limit. She tweeted an example of how it might work that she’d found hidden inside the app.

A Facebook spokesperson confirmed that the company is working on limiting the spread of misinformation on Messenger. This was Alexandru Voica's response to Wong's tweet:

We’re working hard to limit the spread of misinfo on our platforms, especially with #COVID19, and we’re exploring more options like testing stricter limits for how many chats you can fwd a message to at one time. This feature is still in development and not testing externally yet

The confirmation of the new feature came as Facebook announced it would try to use Messenger to help health organizations push out accurate coronavirus information.

On Monday, Facebook Messenger said it’s launching a new program to help government health organizations and UN health agencies team up with developers so they can use the social network’s messaging service to share accurate information and respond to people’s questions. Developers will help these groups for free in the wake of the pandemic, showing these critical organizations how to use Messenger to share timely information with local communities and speed up their replies to commonly asked questions with tools like automated responses.

Facebook Messenger is also starting an online hackathon, inviting developers to come up with messaging solutions that help with things such as physical distancing and getting access to accurate information. Participants will get special access to Messenger tools and content as well as educational materials from Facebook to support their innovation. Facebook engineers will be mentoring the winners to “help make their idea a reality,” the company says.


Russia’s FSB wanted its own IoT botnet

If you thought the Mirai botnet was bad, what about a version under the control of Russia's domestic security service, which it could point like an electronic cannon at anyone it didn't like? That's the prospect we could face after the reported emergence of secret Russian project documents online last week.

The documents, which come from the hacking group Digital Revolution but haven't been verified, suggest that Russia's Federal Security Service (the FSB, from its Russian name) has been working on an internet of things (IoT) botnet of its own called Fronton.

Mirai was a botnet that infected IoT devices by the million, logging in to them over Telnet with factory-default credentials to co-opt them for attackers. In October 2016 it was pointed at DNS service provider Dyn, mounting a DDoS attack that took down large internet services for hours.

Shortly after, the documents suggest, the FSB decided to get in on the act by commissioning its own botnet that would infect and control small-footprint connected devices. The evidence apparently shows a procurement order from unit 64829, an internal FSB department, for a project put together in 2017 and 2018. The documents reference Mirai, suggesting that the FSB could develop something similar.

BBC Russia, which saw the 12 documents in the dumped cache first hand, said they refer to three variations of the project: Fronton, Fronton-3D, and Fronton-18. Each describes a botnet of infected IoT devices under the FSB’s control.

The documents include a schematic of infected devices communicating with back-end servers via a chain of VPNs to anonymise the chain of command. The diagram shows the back-end servers connecting via the Tor anonymous onion-routing network to a search server that apparently indexes the infected boxes.

The FSB seems to be at pains to hide the botnet’s origin. BBC Russia found this specification among the documents (translated):

The use of the Russian language and a connected Cyrillic alphabet is excluded, authorization is required to access the server.

The design instructions are said to detail the targeting of security cameras and digital video recorders almost exclusively, adding that because such devices have enough upstream bandwidth to send video, they would make useful sources of DDoS traffic.

Digital Revolution is a group dedicated to exposing FSB projects online. It has dropped file collections allegedly from the Russian agency before, including 170MB of files related to projects that would scrape social networks for user data and intercept traffic using fake Tor relays.

As with last year's 170MB file drop, this dump names third-party contractors that the FSB appears to have enlisted to carry out the work. The primary contractor was reportedly InformInvestGroup, a Russian company that has worked extensively with the Russian Ministry of Internal Affairs. The documents suggest that this company subcontracted at least some of the work to another, called 0day (LLC 0DT), in Moscow.


Feds shut down bogus COVID-19 vaccine site

A free coronavirus vaccine from the World Health Organization (WHO), for only $4.95 to cover shipping costs?!?

Nah, we didn’t think so, either. On Sunday, the US Department of Justice (DOJ) announced that it shut down what it called a wire fraud scheme being carried out by the operators of a site in order to squeeze profit from the confusion and widespread fear surrounding COVID-19 – by promising to ship coronavirus vaccine kits that don’t actually exist.

Let us state the obvious, or, rather, quote the DOJ’s statement as it states the obvious:

There are currently no legitimate COVID-19 vaccines and the WHO is not distributing any such vaccine.

The site – now offline but available as an exhibit attached to the DOJ’s civil complaint – was offering consumers access to WHO vaccine kits in exchange for a shipping charge of $4.95, which consumers would pay by entering their credit card information on the website.

At the DOJ's request, US District Judge Robert Pitman issued a temporary restraining order requiring that the registrar of the scam site – listed as Namecheap in its Whois record – immediately take action to block public access to it.

The DOJ says that this is its first enforcement action taken against COVID-19 fraud. Dollars to donuts says it won’t be the last, given that we’ve seen plenty of cyberscum trying to make money off of people’s misery and uncertainty.

Coronavirus-themed cybercrime

We’ve seen:

  • Android malware that uses COVID-19 for a combination of sextortion and ransomware.
  • A phishing scam hiding behind the mask of the WHO to offer coronavirus “safety measures” and to steal your credentials.
  • A disinformation campaign carried out via SMS, email and social media that lied about a national quarantine of the US being imminent. The campaign coincided with a distributed denial of service (DDoS) attack on the place where people in the US go to get their health news: the US Department of Health and Human Services (HHS).

The DOJ says it's still investigating the site, coronavirusmedicalkit.com. As of Sunday, investigators didn't know who its operators are. The tech contact for the site is listed in its Whois record as WhoisGuard Protected, with an address in Panama, and its IP address geolocates to Lansing, Michigan, though that says little about where the server is really hosted: IP geolocation reflects where an address block is registered, not where the machine sits, and a site can easily be fronted by a reverse proxy, a CDN or a chain of rented hosts that hides the real operator.

What to do

The DOJ has the following slew of precautionary measures to take in order to keep from getting snared in any of the emerging COVID-19 scams. If they sound exactly like the general tips for staying safe online that we pass out all the time, that’s for a good reason: the crooks are always out there trying to scam us, and the pandemic is the most recent attention grabber that they’re hoping to use to exploit us, catching us when we’re feeling panicky and unsure of what to do.

Do what you normally do to stay safe online, in other words. Just beware that there's a new angle the crooks are trying to leverage to get your attention, your financial details, your personally identifiable information (PII) and whatever else they can swipe. To stay safe, make sure to take these steps:

  • Independently verify the identity of any company, charity, or individual that contacts you regarding COVID-19.
  • Check the websites and email addresses offering information, products, or services related to COVID-19. Be aware that scammers often employ addresses that differ only slightly from those belonging to the entities they are impersonating. For example, they might use “cdc.com” or “cdc.org” instead of “cdc.gov.”
  • Be wary of unsolicited emails offering information, supplies, or treatment for COVID-19 or requesting your personal information for medical purposes. Legitimate health authorities will not contact the general public this way.
  • Do not click on links or open email attachments from unknown or unverified sources. Doing so could download a virus onto your computer or device.
  • Make sure the anti-malware and anti-virus software on your computer is operating and up to date.
  • Ignore offers for a COVID-19 vaccine, cure or treatment. Remember, if a vaccine becomes available, you won’t hear about it for the first time through an email, online ad, or unsolicited sales pitch.
  • Check online reviews of any company offering COVID-19 products or supplies. Avoid companies whose customers have complained about not receiving items.
  • Research any charities or crowdfunding sites soliciting donations in connection with COVID-19 before giving any donation. Remember, an organization may not be legitimate even if it uses words like “CDC” or “government” in its name or has reputable looking seals or logos on its materials. For online resources on donating wisely, visit the Federal Trade Commission (FTC) website.
  • Be wary of any business, charity, or individual requesting payments or donations in cash, by wire transfer, gift card, or through the mail. Don’t send money through any of these channels.
  • Be cautious of “investment opportunities” tied to COVID-19, especially those based on claims that a small company’s products or services can help stop the virus. If you decide to invest, carefully research the investment beforehand. For information on how to avoid investment fraud, visit the U.S. Securities and Exchange Commission (SEC) website.
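
The second tip above, spotting addresses that "differ only slightly" from the real cdc.gov or who.int, is easy to state and surprisingly fiddly to check by eye. The following is an added example, written for this page and not code from the DOJ or from Naked Security, that classifies a URL, email address or bare hostname as trusted, lookalike or unrelated. The trusted-domain list, the abbreviated public-suffix table, the homoglyph map and the sample addresses are all constructed for illustration; a real deployment would load the full Public Suffix List.

```python
"""Lookalike-domain check for COVID-19 scam addresses (added example, not from the article)."""
from urllib.parse import urlsplit

# Sites the DOJ advice points people at; list is an assumption for this example.
TRUSTED_DOMAINS = ("cdc.gov", "who.int", "hhs.gov", "ftc.gov", "sec.gov")

# Abbreviated public-suffix table (assumption; real code should use the Public Suffix List).
PUBLIC_SUFFIXES = ("gov.uk", "co.uk", "org.uk", "gov", "int", "com", "org", "net", "info", "biz", "uk")

# Digits and symbols crooks swap in for look-alike letters: wh0.int, cd(.gov, etc.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def host_of(address: str) -> str:
    """Pull a bare lowercase hostname out of a URL, an email address or a plain host."""
    address = address.strip().lower()
    if "@" in address and "://" not in address:
        address = address.rsplit("@", 1)[1]          # mailbox@domain -> domain
    if "://" in address:
        address = urlsplit(address).hostname or ""   # scheme://user@host:port/path -> host
    return address.rstrip(".")


def split_registrable(host: str):
    """Return (label, suffix) so that label + '.' + suffix is the registrable domain.

    'www.cdc.gov' -> ('cdc', 'gov'); 'cdc.gov.vaccine-kits.com' -> ('vaccine-kits', 'com').
    """
    parts = host.split(".")
    for n in (2, 1):                                 # try two-label suffixes (gov.uk) first
        if len(parts) > n and ".".join(parts[-n:]) in PUBLIC_SUFFIXES:
            return parts[-n - 1], ".".join(parts[-n:])
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (host, "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small labels keep this cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address: str):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unrelated'."""
    host = host_of(address)
    if not host:
        return "unrelated", "no hostname found"
    label, suffix = split_registrable(host)
    candidate = f"{label}.{suffix}" if suffix else label
    norm = label.translate(HOMOGLYPHS)               # wh0 -> who before comparing
    squashed = "." + host.replace("-", ".") + "."    # cdc-gov.com -> .cdc.gov.com.

    for trusted in TRUSTED_DOMAINS:
        t_label, t_suffix = split_registrable(trusted)
        # 1. Exact registrable match: cdc.gov and any real subdomain such as www.cdc.gov.
        if candidate == trusted:
            return "trusted", f"registrable domain is {trusted}"
        # 2. Same name under a different suffix: cdc.com or cdc.org instead of cdc.gov.
        if norm == t_label and suffix != t_suffix:
            return "lookalike", f"{candidate} reuses the name of {trusted} under another suffix"
        # 3. Trusted name buried inside a domain registered elsewhere:
        #    cdc.gov.vaccine-kits.com, cdc-gov.com, whoint.org.
        if f".{trusted}." in squashed or label.replace("-", "") == trusted.replace(".", ""):
            return "lookalike", f"{host} embeds {trusted} but is registered as {candidate}"
        # 4. One-character typo or homoglyph under the genuine suffix: cdcc.gov, wh0.int.
        if suffix == t_suffix and levenshtein(norm, t_label) <= 1:
            return "lookalike", f"{candidate} is one edit away from {trusted}"

    return "unrelated", f"no trusted domain resembles {candidate}"


if __name__ == "__main__":
    # Constructed sample addresses, including the scam site named in the DOJ complaint.
    for sample in ("https://www.cdc.gov/coronavirus", "cdc.com", "info@cdc.gov.vaccine-kits.com",
                   "cdc-gov.com", "wh0.int", "coronavirusmedicalkit.com", "nhs.uk"):
        print(f"{sample:40} {classify(sample)}")
```

Note that coronavirusmedicalkit.com comes back as "unrelated": it impersonates the WHO in its page content, not in its name, so a lookalike check is one filter among several, not a verdict on its own. The edit-distance rule is deliberately restricted to the genuine suffix so that short, legitimate names (nhs.uk beside hhs.gov) are not flagged.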

For the most up-to-date information on COVID-19, visit the Centers for Disease Control and Prevention (CDC) and WHO websites.

The DOJ is urging people in the US to report suspected fraud schemes related to COVID-19 by calling the National Center for Disaster Fraud (NCDF) hotline (1-866-720-5721) or by emailing the NCDF at disaster@leo.gov.

In the UK, contact Action Fraud. Also, bear in mind that the UK has seen a motley collection of pandemic-related scams, including sales of hand sanitizer containing an ingredient banned for human use years ago. They were being sold for £5 a bottle, according to trading standards officers in Birmingham.

Stay safe, wash your hands for 20 seconds a pop, and good luck avoiding the crooks!


WhatsApp “Martinelli” hoax is back, warning about “Dance of the Pope”

If you follow @NakedSecurity on Twitter, you’ll have noticed that we warned last week about an old WhatsApp hoax that suddenly reappeared.

The bogus news is generally known as the “Martinelli hoax”, because it starts like this:

If you know anyone using WhatsApp you might pass on this. An IT colleague has advised that a video comes out tomorrow from WhatsApp called martinelli do not open it , it hacks your phone and nothing will fix it. Spread the word.

When we last wrote about "Martinelli", back in 2018, we noted that the hoax was given a veneer of believability because the text above was immediately followed by this:

If you receive a message to update the WhatsApp to WhatsApp Gold, do not click!!!!!

This part of the hoax has a ring of truth to it.

Back in 2016, hoax-checking site Snopes reported that malware dubbing itself WhatsApp Gold was doing the rounds.

The fake WhatsApp was promoted by bogus messages that claimed, “Hey Finally Secret WhatsApp golden version has been leaked, This version is used only by big celebrities. Now we can use it too.”

So WhatsApp Gold was actual malware, and the advice to avoid it was valid, so the initiator of the Martinelli hoax used it to give an element of legitimacy to their otherwise fake warning about the video.

The latest reincarnation of the hoax has kept the text of the original precisely, including the five-fold exclamation points and the weird extra spaces before punctuation marks.

The new hoax even claims that the video first mentioned several years ago still “comes out tomorrow.”

But there’s a new twist this time, with yet another hoax tacked on the end referring to yet another video “that formats your mobile.”

This time, the video is called Dance of the Pope:

Please inform all contacts from your list not to open a video called "Dance of the Pope". It is a virus that formats your mobile. Beware it is very dangerous. They announced it today on BBC radio. Fwd this message to as many as you can!

Ironically, Snopes suggests that this piece of the hoax – which is basically the same as the Martinelli hoax but with a different video name – is even older than the Martinelli part, dating back to 2015.

Quite why the hoax has reappeared now is not clear, though it may have been triggered by March 2020 news headlines about wunderkind Brazilian footballer Martinelli.

Martinelli currently plays for Arsenal in England, but has been tipped to appear in the Brazilian national squad at just 18 years of age; he’s also been the subject of media speculation that he might get poached from Arsenal by Spanish heavyweights Real Madrid.

Is it even possible?

In theory, playing a deliberately booby-trapped video file on your mobile phone could end up in a malware infection, if your phone has an unpatched bug in its media player software that a crook could exploit.

In practice, however, bugs of that sort are found and patched regularly, and a working exploit against a widely used media player gets reported very widely and closed very rapidly by vendors.

In other words, if the author of this warning really knew of a bug that could infect any mobile phone via a video that isn't even out yet, you would already have heard about the bug itself, either from the vendor of your phone or from the world's cybersecurity news media.

Additionally, even if there were a dangerous bug of this sort on your phone and your phone were at risk, it's unlikely that "nothing would fix it": a patch from the vendor or, at worst, a factory reset would almost certainly do the job.

As for the imminent and unconquerable danger of an alleged double-whammy video attack of “threats” that first surfaced in 2015 and 2016…

…well, if the videos were supposed to “come out tomorrow” more than four years ago, we think you can ignore them today.

What to do?

  • Don’t spread unsubstantiated or already-debunked stories online via any messaging app or social network. There’s enough fake news at the moment without adding to it!
  • Don’t be tricked by claims to authority. Anyone can write “they announced it today on BBC radio,” but that doesn’t tell you anything. For all you know, the BBC didn’t mention it at all, or announced it as part of a hoax warning. Do your own research independently, without relying on links or claims in the message itself.
  • Don’t use the “better safe than sorry” excuse. Lots of people forward hoaxes with the best intentions, but you can’t make someone safer by “protecting” them from something that doesn’t exist. All you are doing is wasting everyone’s time.
  • Don’t forward a cybersecurity hoax because you think it’s an obvious joke. What’s obvious to you might not be to other people, and your comments may get repeated as an earnest truth by millions of people.
  • Don’t follow the advice in a hoax “just in case”. Cybersecurity hoaxes often offer bogus advice that promises a quick fix but simply won’t help, and will certainly distract you from taking proper precautions.
  • Patch early, patch often. Security updates for mobile phones typically close off lots of holes that crooks could exploit, or shut down software tricks that adware and other not-quite-malicious apps abuse to make money off you. Take prompt advantage of updates!
  • Use a third-party anti-virus in addition to the standard built-in protection. Sophos Intercept X for Mobile is free, and it gives you additional protection not only against unsafe system settings and malware, but also helps to keep you away from risky websites in the first place.
  • Don’t grant permissions to an app unless it genuinely needs them. Mobile malware doesn’t need to use fancy, low-level programming booby-traps if you invite it in yourself and then give it more power than it needs or deserves.

Cisco issues urgent fixes for SD-WAN router flaws

Cisco has patched a clutch of high-priority vulnerabilities in its SD-WAN routers and their management software that admins will want to apply as soon as possible.

SD-WAN is a technology that allows large companies to manage different types of Wide Area Network (WAN) communications links such as carrier MPLS, conventional broadband, and mobile 4G as a single virtual entity.

Making SD-WAN work requires specific routers that support it, spread out across the WAN, as well as controller and management software to interact with this infrastructure. It is the SD-WAN software, both on the routers and in the controllers, that is vulnerable.

There are five CVEs in total, three of which are rated high, including one, CVE-2020-3266, given a CVSS severity score of 7.8.

The latter is a privilege escalation vulnerability in the SD-WAN management software used with a range of Cisco routers, including the vEdge 100 Series, 1000 Series, 2000 Series, 5000 Series, and Cloud Router.

Also affected are the vBond Orchestrator, vManage Network Management System, and vSmart Controller software.

The other four CVEs are:

  • CVE-2020-3264, a buffer overflow affecting the same products, rated high priority.
  • CVE-2020-3265, another privilege escalation issue affecting the same products, rated high that could allow a “local attacker to elevate privileges to root on the underlying operating system.”
  • CVE-2019-16010, a cross-site scripting (XSS) issue affecting the vManage user interface exploitable by persuading a user to click on a malicious link.
  • CVE-2019-16012, a SQL injection flaw affecting vManage which could allow an attacker to send malicious SQL queries to an unpatched system.

What to do

There are no workarounds for any of these – all must be patched to address the vulnerabilities. Cisco says it isn't aware of any of them being exploited in the wild so far.

For all products, the solution is to upgrade to vManage version 19.2.2, although how this is done varies slightly from router to router.

The fixes follow a big round from earlier this month affecting Cisco’s WebEx conferencing software that admins won’t want to skip given the increased demand for this service right now.

